docs(backend-auth): correct the skip_signature callout — it IS honored#68
Merged
Conversation
The "Static Backend Credentials" section had the credential/signing relationship backwards: - It claimed omitting access_key_id/secret_access_key yields unsigned requests "automatically." It doesn't: object_store's S3 builder falls back to its default credential chain (InstanceCredentialProvider, env, ...) and still signs (object_store 0.13.1 builder.rs build()). - A NOTE claimed skip_signature "is not honored and has no effect." It is: create_builder (crates/core/src/backend/mod.rs) passes every backend_options entry to object_store via with_config, which parses "skip_signature" -> AmazonS3ConfigKey::SkipSignature and skips SigV4. skip_signature is in fact the control for unsigned/public-bucket access (used by examples/server/config.toml and the cf-workers wrangler configs). docs/configuration/buckets.md already documented it correctly, so this also resolves an internal contradiction. The federation path's apply_to clears skip_signature precisely to turn signing back on. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
📖 Docs preview deployed to https://multistore-docs-pr-68.development-seed.workers.dev
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
docs/auth/backend-auth.mddocumented backend signing backwards. The "Static Backend Credentials" section claimed:access_key_id/secret_access_keymakes the proxy "issue unsigned requests automatically."skip_signature"is currently not honored by the proxy and has no effect."Both are wrong, and they contradicted
docs/configuration/buckets.md, which already documentsskip_signature = "true"for unsigned/anonymous access.What's actually true (verified against object_store 0.13.1)
create_builder(crates/core/src/backend/mod.rs:175) applies every parseable option:if let Ok(key) = k.parse() { b = b.with_config(key, v) }.skip_signature→AmazonS3ConfigKey::SkipSignature(builder.rs:497) and applies it (:646); when set,AmazonS3skips SigV4 and issues unsigned requests (with_skip_signature,:907).skip_signatureunset, object_store'sbuild()falls back to theInstanceCredentialProvider(builder.rs:1034+) and signs — it does not go anonymous.So
skip_signature = "true"is the actual control for public-bucket access, and it's used byexamples/server/config.tomland the cf-workers wrangler examples. The OIDC backend-auth path even clearsskip_signatureinFederatedCredentials::apply_tospecifically to re-enable signing.Change
Rewrites the section: anonymous access needs
skip_signature = "true"(with an example), and the NOTE now states it is honored and required, with the correct fallback when it's absent. Docs-only; no code change.🤖 Generated with Claude Code